

Allowing Inbound IPSec (IPv6) Traffic to Private Hosts (Windows Embedded CE 6.0)

1/6/2010

By default, the firewall blocks IPSec traffic just like any other inbound traffic. You can configure the firewall to allow inbound IPSec traffic to specific private hosts, or to all private hosts, by creating ALLOW rules for the IP_PROTOCOL_AH (51) and IP_PROTOCOL_ESP (50) protocols and a further ALLOW rule for the Internet Key Exchange (IKE) packets (UDP port 500) that negotiate the IPSec security associations.

The following table shows how the members of the FW_RULE structure can be set to allow all inbound IPv6 IPSec traffic, including IKE, to all private hosts. Three rules are needed: one for AH, one for ESP, and one for IKE.

| dwFlags | PrivateHost.Family | Protocol | Port |
|---|---|---|---|
| FWF_ALLOW \| FWF_INBOUND | AF_INET6 | IP_PROTOCOL_AH | Not applicable |
| FWF_ALLOW \| FWF_INBOUND | AF_INET6 | IP_PROTOCOL_ESP | Not applicable |
| FWF_ALLOW \| FWF_INBOUND | AF_INET6 | IP_PROTOCOL_UDP | 500 |

Registry entries for the rules

The following registry example shows the registry entries for these three rules. The value in each `Mask` entry selects which members the firewall compares (FWM_PROTOCOL alone for AH and ESP; FWM_PROTOCOL and FWM_PORT for IKE).

[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\InboundAH]
    "Mask"=dword:20         ; FWM_PROTOCOL 
    "Flags"=dword:A         ; FWF_ALLOW | FWF_INBOUND
    "PrivateHost"=hex:17,00         ; AF_INET6
    "Protocol"=dword:33     ; IP_PROTOCOL_AH

[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\InboundESP]
    "Mask"=dword:20         ; FWM_PROTOCOL 
    "Flags"=dword:A         ; FWF_ALLOW | FWF_INBOUND
    "PrivateHost"=hex:17,00         ; AF_INET6
    "Protocol"=dword:32     ; IP_PROTOCOL_ESP

[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\InboundUDP]
    "Mask"=dword:24         ; FWM_PROTOCOL | FWM_PORT
    "Flags"=dword:A         ; FWF_ALLOW | FWF_INBOUND
    "PrivateHost"=hex:17,00         ; AF_INET6
    "Protocol"=dword:11         ; IP_PROTOCOL_UDP
    "Port"=dword:1F4         ; 500

Code example to create the rules

The following code example shows how to create the same three rules programmatically.

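    // Every FW_RULE is zero-initialized before any member is set. Two reasons:
    //  - dwMask is built up with |=, so it must start from 0; the original
    //    AH example ORed into an uninitialized dwMask, which could leave a stray
    //    FWM_* bit set and make the firewall match on a member this example
    //    never filled in.
    //  - Members that a rule does not use (for example PortMin/PortMax on the
    //    AH and ESP rules) hold a defined value instead of stack garbage.
    // All three rules match on protocol only (plus port for IKE); no other
    // FWM_* bit is set, so they do not restrict the sender and apply to every
    // IPv6 private host. The firewall only lets the packets through; it does
    // not validate AH/ESP/IKE content - that remains the IPSec stack's job.

    // ---- Rule 1: IP_PROTOCOL_AH (51). AH has no port, so FWM_PORT is not set.
    FW_RULE InboundAH = {0};
    // The following fields must always be set.
    InboundAH.dwSize = sizeof(FW_RULE);
    InboundAH.dwFlags = FWF_ALLOW | FWF_INBOUND;
    InboundAH.dwMask |= FWM_PROTOCOL;
    InboundAH.PrivateHost.Family = AF_INET6;
    InboundAH.wszDescription = L"Allows inbound AH packets";

    // Protocol.
    InboundAH.Protocol = IP_PROTOCOL_AH;

    // Create a persistent rule.
    // NOTE(review): the return value of FirewallCreateRule is not checked in
    // this example; confirm its return convention and check it in production code.
    FirewallCreateRule(&InboundAH, TRUE);

    // ---- Rule 2: IP_PROTOCOL_ESP (50). ESP has no port, so FWM_PORT is not set.
    FW_RULE InboundESP = {0};
    // The following fields must always be set.
    InboundESP.dwSize = sizeof(FW_RULE);
    InboundESP.dwFlags = FWF_ALLOW | FWF_INBOUND;
    InboundESP.dwMask |= FWM_PROTOCOL;
    InboundESP.PrivateHost.Family = AF_INET6;
    InboundESP.wszDescription = L"Allows inbound ESP packets";

    // Protocol.
    InboundESP.Protocol = IP_PROTOCOL_ESP;

    // Create a persistent rule (return value unchecked; see note above).
    FirewallCreateRule(&InboundESP, TRUE);

    // ---- Rule 3: IKE, i.e. IP_PROTOCOL_UDP on port 500. Both the protocol and
    // the port are masked in, so only UDP/500 is admitted by this rule.
    FW_RULE InboundUDP = {0};
    // The following fields must always be set.
    InboundUDP.dwSize = sizeof(FW_RULE);
    InboundUDP.dwFlags = FWF_ALLOW | FWF_INBOUND;
    InboundUDP.PrivateHost.Family = AF_INET6;
    InboundUDP.wszDescription = L"Allows inbound Internet Key Exchange (UDP) packets";

    // Protocol.
    InboundUDP.dwMask |= FWM_PROTOCOL;
    InboundUDP.Protocol = IP_PROTOCOL_UDP;

    // Port: PortMin == PortMax == 500 restricts the rule to exactly one port.
    InboundUDP.dwMask |= FWM_PORT;
    InboundUDP.PortMin = 500;
    InboundUDP.PortMax = 500;

    // Create a persistent rule (return value unchecked; see note above).
    FirewallCreateRule(&InboundUDP, TRUE);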

See Also

Other Resources

General Firewall Rule Examples